Okta Device Trust: Integration Setup

By Aaron Alquillera

Learn how to set up and configure the Okta Device Trust integration in Kandji

Okta Device Trust allows Okta admins to ensure that Kandji manages their Apple devices before end users can access Okta-protected apps from their devices. This, in part, enables Okta FastPass for a password-less authentication experience for end-users, enabling them to sign in to Okta and their Okta resources without needing a password. For iOS, iPadOS, and macOS devices specifically, FastPass allows users to leverage Face ID and Touch ID to access resources. Okta FastPass is a feature of Okta Identity Engine.

Prerequisites

During the integration setup process, Kandji will check for the presence of the following items. These items must be configured in the Okta tenant before setting up the ODT integration with Kandji. If Kandji finds one or more of these items missing, a warning modal will be displayed.

The Okta tenant must be migrated from Okta Classic Engine to Okta Identity Engine
Okta FastPass must be enabled in the Okta tenant
The Okta Verify Apple App Store app must be assigned to Kandji via Apps and Books in Apple Business Manager.
The Okta user setting ODT should have the super admin in Okta. The super admin credentials are only needed for the initial authentication and adding if the API Service Integration.
Okta Adaptive MFA is required in order to add Device integrations in Okta.

Integration setup

Login to your Kandji tenant.
Navigate to Integrations
Click Discover Integrations.
In the Security section, find Okta Device Trust and click Add and configure.
In the Welcome to Okta Device Trust modal, click Get started.
In the Specify your Okta Domain modal, enter your Okta tenant URL and click Next.
In the Sign in with Okta modal, click Sign in with Okta. This will open a new browser window and navigate you to your Okta tenant, where you will create an API Service Integration. Once that is done, you will come back to Kandji to continue the ODT integration setup.
```
The Okta user used to configure ODT should have the super admin role in Okta.
```

Once signed into Okta, you should be on the Authorize Kandji Device Trust integration page. On this page, click Install & Authorize.

The Kandji API Service integration uses the following scopes:
    
    okta.devices.manage
    okta.devices.read
    okta.authenticators.read

On the Copy your client secret modal, copy the client secret to a safe place for use later in Kandji.
```
Please copy the Client Secret, as it will be the only time you can view it.
```
Click Done.
On the Kandji Device Trust overview page, copy the Client ID to a safe place for use later in Kandji.
Head back to Kandji to continue the ODT integration setup.
In the Complete the following tasks in Okta modal, click Next.
In the Provide OAuth client credentials modal, enter the Client ID and Client Secret copied from earlier.
Click Connect to Okta. Kandji will check in the background to ensure that the Okta tenant is on Okta Identity Engine and Okta FastPass is enabled.

Configure device platforms in Okta

This section outlines creating device integration in Okta. This information is used when adding device platforms in Kandji.

Okta Adaptive MFA is required in order to add Device integrations in Okta.

Adding device integrations in Okta

Log in to the Okta admin portal
In the left-hand navigation, click Security > Device Integrations
Click Add platform

Add macOS as a device integration

On the Select platform step, select Desktop (Windows and macOS only), click Next
On the Configure management attestation step, for Certificate authority, select Use Okta as certificate authority
For SCEP URL challenge type, select Dynamic SCEP URL and Generic
Next to SCEP URL, click the Generate button
Copy the SCEP URL, Challenge URL, Username, and Password to a safe place. This info will be used later in Kandji when setting up macOS as a device platform.
```
Please copy the password, as it will be the only time you can view it. You can rotate the password later in the  menu from the main Device integrations page in Okta if needed.
```
Click Save.

Add iOS as a device integration

On the Select platform step, select iOS, click Next

On the Configure management attestation step, copy the Secret key to a safe place for use later in Kandji when adding iOS as a device platform in Kandji

Please copy the Secret key, as it will be the only time you can view it. You can rotate the password later in the  menu from the main Device integrations page in Okta if needed.

For Device management provider, enter some like Kandji MDM
For Enrollment link, enter your Kandji tenant’s device enrollment link. (Example: https://accuhive.kandji.io/enroll where accuhive should be your tenant subdomain.)
Click Save

Modifying a device integration in Okta

Rotate a macOS challenge password or iOS Secret

Go to the Device Integrations page
Next to the integration that you want to change, click the Actions menu
Click the reset option for that platform
Click the Reset button in the modal that appears

Delete a macOS challenge password or iOS Secret

Go to the Device Integrations page
Next to the integration that you want to change, click the Actions menu
Click Delete
Click the Delete button in the modal that appears

Configure device platforms in Kandji

In the Configure device platforms modal, select the platforms to configure. You can configure macOS, iOS, or both.
Click Next.
If selecting macOS, enter the required information in the Add macOS as a device platform modal and click Next.
If selecting iOS, enter the required information in the Add iOS as a device platform modal and click Finish setup.
In the Okta Device Trust setup complete modal, you can choose View integration settings to see additional information about the ODT integration in Kandji or choose Go to Library item to configure the Okta Verify app for ODT deployment.

Up next

Deploy ODT to your Apple devices using the Okta Device Trust: Configuring the Okta Verify Library item support article.